The Digital Personal Data Protection Act, 2023 (“DPDPA”) recognises the need for individuals to seek protection in respect of their personal data. The law provides certain rights to individuals to whom the personal data relates. These individuals are referred to as “data principals”.

If personal data relates to a child, the term “data principal” includes the child and their parents or lawful guardian. If personal data relates to a person with a disability, the term “data principal” includes the individual and the lawful guardian of such individual.

1.PROCESSING UNDER THE SPDI RULES

The SPDI Rules do not distinguish between employers and other organisations that process personal data, nor do they distinguish between data controllers and data processors. Accordingly, employers are required to comply with all applicable requirements when processing employees’ personal data, including provision of a privacy notice, appointment of a grievance officer, enabling of individuals’ right to access and correct their information, and seeking consent for the processing of sensitive personal data or information.